
Phish and Chips: China‑Aligned Espionage Surge Targeting Taiwan Semiconductor Industry


Between March and June 2025, Proofpoint researchers tracked three distinct China‑aligned threat actors launching spear‑phishing campaigns against Taiwanese semiconductor firms, design houses, service providers, and financial analysts. These coordinated attacks underscore China’s intensified cyber‑espionage effort to work around U.S. and Taiwanese export controls, and they carry broader implications for cybersecurity services and supply‑chain security in MEA markets.

Proofpoint’s “Phish and Chips” report, released 16 July 2025, details how state‑aligned hackers—tracked as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp—targeted the Taiwanese semiconductor ecosystem from March–June 2025. Each group executed employment-themed phishing or credential-stealing campaigns tied to espionage efforts.

Stepped-Up Espionage

Proofpoint attributes this intensification to China’s strategic drive towards semiconductor self-reliance amplified after new U.S. and Taiwanese export restrictions were imposed earlier in 2025.

Campaigns & Technical Tactics

UNK_FistBump: Job-Lure Spear‑Phishing

From May–June 2025, UNK_FistBump used recruiter-themed emails, sent from compromised Taiwanese university addresses, to deliver resume-themed lures to semiconductor firms. LNK payloads delivered either Cobalt Strike Beacons or the custom Voldemort backdoor via DLL sideloading.

  • Chain 1 (Cobalt Strike): an RC4-encrypted loader (jli.dll) sideloaded by the legitimate javaw.exe, beaconing to C2 at 166.88.61[.]35.
  • Chain 2 (Voldemort): Google Sheets used for exfiltration, mimicking APT41 (TA415) behavior, but with a custom RC4 routine and DLL loader.

UNK_DropPitch: Investment‑Analyst Bait

In April–May 2025, UNK_DropPitch targeted financial analysts with fake collaboration emails containing DLL‑stealing zip files. This delivered the HealthKick backdoor, communicating over FakeTLS to IP 82.118.16[.]72. In a second wave, it delivered raw TCP reverse shells controlling Intel EMA RMM tools.

UNK_SparkyCarp: AITM Phishing

In March 2025, UNK_SparkyCarp used adversary‑in‑the‑middle kits to phish semiconductor employees, mimicking login portals to capture credentials.

MITRE ATT&CK Mapping & IOCs

| Tactic         | Technique                           | ATT&CK ID            |
|----------------|-------------------------------------|----------------------|
| Initial Access | Spearphishing Attachment            | T1566.001            |
| Execution      | DLL Side-loading via LNK/C2         | T1218.019            |
| C2             | Cobalt Strike Beacon, FakeTLS       | T1071.001            |
| Exfiltration   | Google Sheets API, Reverse Shell    | T1041                |
| Persistence    | Scheduled Tasks, Registry Run Keys  | T1053.005, T1547.001 |

Sample IOCs: C2 IPs 166.88.61[.]35 and 82.118.16[.]72; domains such as api.moctw[.]info and accshieldportal[.]com; SHA‑256 hashes of the LNK and DLL payloads (listed in the Proofpoint report).
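As an added illustration of how a SOC would hunt for the UNK_FistBump chain above (javaw.exe sideloading an unsigned jli.dll from a user-writable folder, then beaconing to a listed C2), the following detection logic is example code written for this article, not Proofpoint's or the article author's code. It runs over constructed Sysmon-style events (EventID 1 process create, 7 image load, 3 network connect); the field names follow Sysmon's schema, the paths and the benign 198.51.100.7 address are made up, and the two C2 IPs are the ones quoted in this article, refanged for matching. The user-writable-directory and signature checks are assumed heuristics, not signatures from the report.

```python
"""Detection logic for the DLL side-loading chain and C2 IOCs described above.

Added example, not Proofpoint's or the article's code. Input is a handful of
constructed Sysmon-style events; values are invented for illustration.
"""
from pathlib import PureWindowsPath

# C2 addresses quoted in the article, kept defanged exactly as written there.
ARTICLE_C2_IPS = {"166.88.61[.]35", "82.118.16[.]72"}

# Directories a normal user can write to. A javaw.exe started from one of these
# is not an installed JRE/JDK and deserves a look (assumed heuristic).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def refang(ip: str) -> str:
    """Turn a defanged IOC such as 1.2.3[.]4 back into a matchable address."""
    return ip.replace("[.]", ".")


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_process_create(ev: dict) -> list[str]:
    """EventID 1: the side-loading host (javaw.exe) started outside an install dir."""
    image = PureWindowsPath(ev["Image"])
    if image.name.lower() == "javaw.exe" and in_user_writable_dir(ev["Image"]):
        return [f"javaw.exe launched from user-writable path {ev['Image']} "
                f"(parent {ev['ParentImage']})"]
    return []


def check_image_load(ev: dict) -> list[str]:
    """EventID 7: a genuine jli.dll is a vendor-signed library inside the JRE.
    An unsigned copy, or one in a user-writable directory, matches the
    side-loading pattern described in the report (assumed heuristic)."""
    image = PureWindowsPath(ev["Image"])
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if image.name.lower() != "javaw.exe" or loaded.name.lower() != "jli.dll":
        return []
    reasons = []
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned")
    if in_user_writable_dir(ev["ImageLoaded"]):
        reasons.append("user-writable directory")
    if reasons:
        return [f"javaw.exe loaded jli.dll from {ev['ImageLoaded']} ({', '.join(reasons)})"]
    return []


def check_network_connect(ev: dict, ioc_ips: set[str]) -> list[str]:
    """EventID 3: destination matches a published C2 address."""
    if ev["DestinationIp"] in {refang(ip) for ip in ioc_ips}:
        return [f"{ev['Image']} connected to known C2 "
                f"{ev['DestinationIp']}:{ev['DestinationPort']}"]
    return []


def analyze(events: list[dict], ioc_ips: set[str] = ARTICLE_C2_IPS) -> list[dict]:
    """Run every event through the check for its EventID and return alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            findings = check_process_create(ev)
        elif ev["EventID"] == 7:
            findings = check_image_load(ev)
        elif ev["EventID"] == 3:
            findings = check_network_connect(ev, ioc_ips)
        else:
            findings = []
        alerts.extend({"event_id": ev["EventID"], "detail": f} for f in findings)
    return alerts


# Constructed sample events: a benign Java launch, then a chain mirroring the
# recruiter-lure flow (LNK -> javaw.exe beside a malicious jli.dll -> C2).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Java\jdk-17\bin\javaw.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Java\jdk-17\bin\javaw.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\hr\Downloads\Resume_Chen\javaw.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\hr\Downloads\Resume_Chen\javaw.exe",
     "ImageLoaded": r"C:\Users\hr\Downloads\Resume_Chen\jli.dll", "Signed": "false"},
    {"EventID": 3, "Image": r"C:\Users\hr\Downloads\Resume_Chen\javaw.exe",
     "DestinationIp": "166.88.61.35", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[EventID {alert['event_id']}] {alert['detail']}")
```

The benign JDK events produce nothing; the three events from the constructed lure chain each raise one alert. The behavioural checks matter more than the IP match, since C2 infrastructure rotates while the pattern of a trusted binary loading an unsigned DLL from a download folder does not.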

MEA Implications & Global Context

Regional Risks

Taiwan’s chip industry is a key node in global electronics supply chains, including those serving MEA. The same spear-phishing methods can be turned on MEA chipmakers, electronics firms, and their financial partners. MEA regulators (such as the UAE’s NESA, Saudi Arabia’s NCA, and Kenya’s DMCA) should reinforce cybersecurity training aimed at supply‑chain resilience.

International Response

Taiwan’s ongoing cybersecurity reforms, which expand incident-readiness capabilities and build partnerships with CISA and Japan’s NISC, mirror MEA’s increasing cooperation with global agencies.

Expert Perspectives

“We’ve seen entities not previously targeted now receiving phishing emails,” said Mark Kelly, Proofpoint threat researcher. “This signals elevated strategic focus.”
(Reuters)

Taiwan-based TeamT5 noted, “Targeting of semiconductors and the supply chain… is a persistent threat.”

Actionable Takeaways

  1. Strengthen Email Authentication – Enforce DMARC, DKIM, SPF and monitor anomalies.
  2. Spear‑Phishing Simulations – Regularly test with supply‑chain mailing lists.
  3. Endpoint Detection – Monitor DLL sideloading, LNK execution, scheduled task creation.
  4. Network Monitoring – Alert on uncommon C2 channels like Google Sheets API.
  5. Zero‑Trust Architecture – Micro-segment personnel systems and restrict lateral movement.
  6. Supply‑Chain Oversight – Assess vendors with geopolitical risk exposure.
  7. Incident Collaboration – Establish cross-border channels with Taiwanese agencies.
  8. Threat Intelligence Integration – Ingest IOC feeds from Proofpoint/sec‑vendors.
  9. Awareness Campaigns – Educate finance and HR staff on advanced phishing.
  10. Regular Audits – Assess controls under ISO/IEC 27001, NESA, NCA frameworks.
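Takeaway 1 above is the one that can be checked mechanically. The script below is an added example, not code from the article or Proofpoint, that parses SPF and DMARC TXT records and flags the weak settings that let a spoofed recruiter or analyst email through: a permissive or softfail SPF `all` term, a missing DMARC record, `p=none`, partial `pct`, or no `rua` reporting address. The domains and records in CONSTRUCTED_DNS are invented; a live version would resolve the TXT records for the domain and for `_dmarc.<domain>` instead of reading them from that dictionary. DKIM is not assessed because verifying it needs the selector and the signed message, which the receiving mail server, not a record audit, has.

```python
"""Audit SPF and DMARC records for settings that permit sender spoofing.

Added example for this article; not Proofpoint's or the author's code.
Records below are constructed. SPF lives in a TXT record at the domain,
DMARC in a TXT record at _dmarc.<domain>.
"""

CONSTRUCTED_DNS = {
    "example-fab.test": "v=spf1 include:_spf.example-fab.test -all",
    "_dmarc.example-fab.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-fab.test; adkim=s; aspf=s",
    "weak-foundry.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.weak-foundry.test": "v=DMARC1; p=none; pct=100",
    "no-dmarc.test": "v=spf1 +all",
}


def parse_spf(record: str) -> dict:
    """Return the qualifier of the 'all' term (+, -, ~, ? or None) and the
    other mechanisms. The qualifier defaults to '+' when none is written."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {}
    result = {"all": None, "mechanisms": []}
    for term in terms[1:]:
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"
        body = term[1:] if has_qualifier else term
        if body.lower() == "all":
            result["all"] = qualifier
        else:
            result["mechanisms"].append(body)
    return result


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; empty dict if not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_domain(domain: str, dns: dict) -> list[str]:
    """List the weaknesses an attacker spoofing this domain could exploit."""
    findings = []
    spf = parse_spf(dns.get(domain, ""))
    if not spf:
        findings.append("SPF: no v=spf1 record")
    elif spf["all"] == "+":
        findings.append("SPF: +all permits any sender to pass")
    elif spf["all"] == "~":
        findings.append("SPF: ~all (softfail); move to -all once senders are inventoried")
    elif spf["all"] in ("?", None):
        findings.append("SPF: neutral result for unlisted senders (?all or no all term)")

    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", ""))
    if not dmarc:
        findings.append("DMARC: no record at _dmarc")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; spoofed mail is not rejected")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings


if __name__ == "__main__":
    for name in ("example-fab.test", "weak-foundry.test", "no-dmarc.test"):
        print(name, assess_domain(name, CONSTRUCTED_DNS) or ["OK"])
```

Run against the constructed records, the first domain comes back clean, the second is flagged for softfail SPF, `p=none` and missing reporting, and the third for `+all` and the absent DMARC record. Aggregate reports (`rua`) are what make the "monitor anomalies" half of takeaway 1 possible, since they show which sources are sending mail that fails alignment for your domain.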

Conclusion

The Proofpoint “Phish and Chips” findings show a qualitative shift in China‑aligned cyber‑espionage: multiple concurrent campaigns, evolving malware, and a focus that extends beyond first-tier firms. For CISOs in MEA and beyond, this confirms that semiconductor supply‑chain cybersecurity is a global problem, not a local one. The time for pentesting, supply‑chain vigilance, and cross‑border cybersecurity awareness is now, to stay ahead of geopolitical cyber threats.

Ouaissou DEMBELE